[PATCH] dbus-spec: introduce new PERMIT_INTERACTIVE_AUTHENTICATION

Marcel Holtmann marcel at holtmann.org
Wed Sep 3 15:12:12 PDT 2014 

Hi Lennart,

> As discussed earlier on the dbus mailing list, let's add a new flag to
> the message header, that allows clients to indicate whether they are OK
> with possiably time-intensive interactive authentication.
> 
> This is useful for authentication frameworks such as polkit, but this
> flag is supposed to be generic, and not be bound to any implementation
> of such a framework.
> 
> The dbus specification already clarifies that unknown flags must be
> ignored, the reference implementation and the other implementations i
> checked indeed ignore any new flags, hence we should be fine with
> compatibility here.
> 
> This patch simply updates the spec, it does not add new APIs for this to
> the reference implementation.
> 
> I also posted a bugzilla ticket for this:
> 
> https://bugs.freedesktop.org/show_bug.cgi?id=83449
> 
> ---
> doc/dbus-specification.xml | 24 ++++++++++++++++++++++++
> 1 file changed, 24 insertions(+)
> 
> diff --git a/doc/dbus-specification.xml b/doc/dbus-specification.xml
> index 1b740fe..3fdc9bb 100644
> --- a/doc/dbus-specification.xml
> +++ b/doc/dbus-specification.xml
> @@ -1351,6 +1351,30 @@
>                   for the destination name in response to this message.
>                 </entry>
>               </row>
> +              <row>
> +                <entry><literal>PERMIT_INTERACTIVE_AUTHENTICATION</literal></entry>
> +                <entry>0x4</entry>

why not use the term ALLOW_INTERACTIVE_AUTHENTICATION. The term "permit" is not used in the specification at the moment, but "allow" has been used in the RequestName flags.

> +                <entry>This is a hint that may be set on a method call
> +                message that informs the receiving side that the
> +                caller is OK if possibly time-intensive interactive
> +                user authentication may take place before the method
> +                call will complete. A client may set this flag if it
> +                is prepared to wait for a longer time before the
> +                method call returns, and if its UI may be interrupted
> +                by interactively querying the user for passwords or
> +                confirmation. This flag is only useful when
> +                unprivileged code calls a more priviliged method call,
> +                and an authentication framework is deployed that
> +                allows possibly interactive authentication. If no such
> +                framework is deployed it has no effect. This flag
> +                should not be set by default by client
> +                implementations. If it is set the caller also should
> +                set a suitably long timeout on the method call to make
> +                sure the user interaction may complete. This flag is
> +                only valid for method call messages, and shall be
> +                ignored otherwise.
> +                </entry>
> +              </row>
>             </tbody>
>           </tgroup>
>         </informaltable>

Regards

Marcel

More information about the dbus mailing list